If your organization currently markets or plans to market medical devices within the EU, you may be wondering if EU MDR [1] or EU IVDR [2] requires on-site audits of your suppliers.
EU MDR/EU IVDR does require notified bodies to consider the need for both announced and unannounced audits of your suppliers depending on risks associated with the activities of the supplier and the level of control over the supplier your organization demonstrates.
Announced on-site supplier audits are certainly a concern, but with EU MDR opening the door for unannounced audits there is reason for more concern than ever.
In the case of unannounced supplier audits, not only do you have to drop what you’re doing to support the audit, but your organization will also need to pick up the expenses of your notified body and perhaps your supplier’s costs, depending on how your quality agreement is structured.
As if that wasn’t bad enough, any nonconformances observed will be issued as findings against your organization. As the legal manufacturer, it is your certification that is being assessed.
Before we get into the steps you can take to mitigate these risks, let’s take a quick look at what the requirements are and where they come from.
What are the requirements for notified body supplier audits?
In the preamble to the EU MDR, the Commission emphasizes that notified bodies have the “right and duty to carry out unannounced on-site audits”.
Later, in Annex VII of the regulation, the commission requires notified bodies as part of their auditing of manufacturers to:
“…identify links between, and allocation of responsibilities among, the various manufacturing sites, and identify relevant suppliers and/or subcontractors of the manufacturer, and consider the need to specifically audit any of those suppliers or subcontractors or both,…”
EU MDR [1], Annex VII, Section 4.5.2(a)
The regulation goes on to say:
“…if not already covered by the audit programme, audit the control of processes on the premises of the manufacturer’s suppliers, when the conformity of finished devices is significantly influenced by the activity of suppliers and, in particular when the manufacturer cannot demonstrate sufficient control over its suppliers,…”
EU MDR [1], Annex VII, Section 4.5.2(b)
This makes it clear that the commission not only requires notified bodies to conduct unannounced audits of the manufacturer but also of their suppliers if appropriate.
What can you do to mitigate the risks?
Step 1: Supplier Risk Categorization
- Establish risk-based SOPs around Supplier Controls
- Ensure SOPs draw a clear line between those supplier categories where the conformity of the finished device is significantly influenced by the supplier’s activity and those where it is not
- Categorize suppliers according to the established supplier risk categories
- Maintain an approved supplier list (ASL) which includes the supplier risk category
Where you cannot establish that the finished device is not significantly influenced by the supplier’s activity, you must focus on demonstrating sufficient control over your organization’s suppliers to make the case that notified body supplier audits are not required.
Step 2: Demonstrate Control of High-Risk Suppliers
- Maintain excellent relationships and lines of communication with key high-risk suppliers
- Establish clearly defined Quality Agreements
- Conduct robust on-site supplier audits using qualified auditors with applicable experience based on the device or technology
- Keep good records of audits and track the closure of any actions taken including effectiveness for nonconformances observed
- Ensure evidence of supplier monitoring is on file including sterilization process monitoring and revalidation (if applicable)
- Document Device Master Records (DMRs) which include reference to supplier’s specifications and SOPs
- Consider keeping copies of the supplier’s key SOPs
- Keep copies of example Device History Records (DHRs) available
- Maintain up-to-date flow charts of manufacturing processes
- Consider maintaining videos of the manufacturing process to show auditors
The idea here is to give auditors a warm and fuzzy feeling that you are in control of your suppliers. Having all this information at the ready decreases the probability that an auditor will decide there is a lack of control and that an audit of the supplier is required.
If sufficient control of suppliers cannot be demonstrated, then you need to make sure your suppliers are well prepared for both announced and unannounced on-site audits.
Step 3: Prepare Those Suppliers Where Sufficient Control Cannot Be Demonstrated
Make sure the supplier has an established SOP for managing external audits, along with the resources at the ready to support both announced and unannounced audits. If the supplier does not have such a procedure, help them establish one.
Include requirements within the quality agreement regarding the supplier’s responsibility to:
- maintain procedures for managing notified body audits;
- resource and support both announced and unannounced notified body audits; and
- provide notification within designated timeframes in the case of unannounced audits.
How frequently should you expect your applicable suppliers to be audited by your notified body?
Announced Supplier Audits: This could be as frequently as once every 12 months depending on the risk classification of the device and the risk of the supplier’s activities.
Unannounced Supplier Audits: If a supplier audit is deemed necessary, this could be done at least once every five years.
Summary
If your notified body determines a supplier is required to be audited on-site due to the high risk of their activities, especially when sufficient control of the supplier cannot be demonstrated, then you should expect and prepare for both announced and unannounced audits of the supplier.
To mitigate the risks associated with both announced and unannounced notified body audits of your suppliers you should:
- Establish a risk-based supplier control process and identify high-risk suppliers
- Demonstrate sufficient control of high-risk suppliers
- Prepare suppliers for on-site audits where sufficient control cannot be demonstrated
References:
1. EU MDR: Regulation (EU) 2017/745 of the European Parliament and of the Council of 5 April 2017 on medical devices, amending Directive 2001/83/EC, Regulation (EC) No 178/2002 and Regulation (EC) No 1223/2009 and repealing Council Directives 90/385/EEC and 93/42/EEC. https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32017R0745
2. EU IVDR: Regulation (EU) 2017/746 of the European Parliament and of the Council of 5 April 2017 on in vitro diagnostic medical devices and repealing Directive 98/79/EC and Commission Decision 2010/227/EU. https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32017R0746